(#4680) Reject CA network operations when master CA is disabled

When the master has CA function explicitly disabled, it would still respond to
networked REST requests. They accessed the local certificate store and,
generally, provided quite unexpected results.

For example, if a CSR was submitted it would be accepted successfully and
ignored; no further action, despite the fact that the master would never do
anything with it, and it could not be acted on.

Now, instead, we explicitly fail for remote requests. This delivers a clear,
unambiguous error message to the agent and stops them functioning - a much
better outcome overall.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>